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Security Classified and Controlled Information: History, 
Status, and Emerging Management Issues 

Summary 

The security classification regime in use within the federal executive branch 
traces its origins to armed forces information protection practices of the World War 
I era. The classification system — designating information, according to prescribed 
criteria and procedures, protected in accordance with one of three levels of 
sensitivity, based on the amount of harm to the national security that would result 
from its disclosure — attained a presidential character in 1940 when President 
Franklin D. Roosevelt issued the initial executive order prescribing these information 
security arrangements. Refinements in the creation, management, and 
declassification of national security information followed over the succeeding 
decades, and continue today. In many regards, these developments represent attempts 
to narrow the bases and discretion for assigning official secrecy to executive branch 
documents and materials. Limiting the quantity of security classified information has 
been thought to be desirable for a variety of important reasons: (1) promoting an 
informed citizenry, (2) effectuating accountability for government policies and 
practices, (3) realizing oversight of government operations, and (4) achieving 
efficiency and economy in government management. 

Because security classification, however, was not possible for some kinds of 
information deemed in some quarters to be “sensitive,” other kinds of designations 
or markings came to be applied to alert federal employees regarding its privileged or 
potentially harmful character. Sometimes these markings derived from statutory 
provisions requiring the protection of a type of information; others were 
administratively authorized with little detail about their use. 

In the current environment, still affected by the long shadow of the terrorist 
attacks of September 11, 2001, several issues have arisen regarding security 
classified and controlled information. Volume is a concern: 8 million new 
classification actions in 2001 jumped to 14 million new actions in 2005, while the 
quantity of declassified pages dropped from 100 million in 2001 to 29 million in 
2005. Expense is vexing: $4.5 billion spent on classification in 2001 increased to 
$7.1 billion in 2004, while declassification costs fell from $232 million in 2001 to 
$48.3 million in 2004, according to annual reports by the Information Security 
Oversight Office (ISOO) of the National Archives and Records Administration 
(NARA). Some agencies were recently discovered to be withdrawing archived 
records from public access and reclassifying them. Critically evaluating this activity, 
ISOO has indicated that the federal government needs to apply a more integrated 
approach among the classifying agencies. The force of, and authority for, 
information control markings, other than security classification labels, have come 
under congressional scrutiny, prompting concerns about their number, variety, lack 
of underlying managerial regimes, and effects. Among those effects, contend the 
Government Accountability Office and the manager of the Information Sharing 
Environment for the intelligence community, is the obstruction of information 
sharing across the federal government and with state and local governments. These 
and related matters, including remedial legislation (H.R. 984, H.R. 4806), are 
examined in this report, which will be updated as events warrant. 
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Security Classified and Controlled 
Information: History, Status, and Emerging 
Management Issues 



Prescribed in various ways, federal policies may require the protection of, or 
provide a privileged status for, certain kinds of information. For the legislative 
branch, for example, the Constitution, in Article I, Section 5, specifies that each 
house of Congress “shall keep a Journal of its Proceedings, and from time to time 
publish the same, excepting such Parts as may in their Judgment require Secrecy.” 
In the next section of the article, a privileged status for certain remarks of Members 
is established when the Constitution indicates that “for any Speech or Debate in 
either House, they shall not be questioned in any other Place.” 

Within the executive branch, it seems likely that one of the earliest-felt needs 
for secrecy concerned preparations and plans for the defense of the country. 
Following long-standing military practice, General George Washington and other 
officers in the Continental Army, seeking to ensure the protection of information, 
had written “Secret” or “Confidential” on strategic communiques to each other in the 
field and to headquarters. There was no immediate formalization of this practice by 
the new federal government, but it was from these roots that security classification 
would emerge. That history is briefly reviewed in the next section of this report. 

The application of security classification subsequently came to be regulated 
through a narrowing of the bases and discretion for assigning official secrecy to 
executive branch materials. Due to that and other information management 
developments, new kinds of designations or markings came to be used to alert federal 
employees about the privileged status or sensitive content of a record or document. 
Sometimes these markings derived from statutory provisions requiring the protection 
of a type of information; many others were administratively created, but lacked 
detailed management regimes. Early congressional experience with these other 
markings is examined, providing a background for considering some of the current 
issues they raise. 

Finally, the report considers some long-standing difficulties attending the 
management of security classified information — controlling the volume of such 
material and attendant costs. It looks, as well, at recent efforts by some agencies to 
withdraw archived records from public access and reclassify them, activity which the 
Information Security Oversight Office (ISOO) of the National Archives and Records 
Administration (NARA) critically evaluated and, as a reform for the underlying 
problem, suggested a more integrated approach among the classifying agencies. 




http://wikileaks.org/wiki/CRS-RL33494 



CRS-2 



Classification Background 

Current security classification arrangements, prescribed by an executive order 
of the President, trace their origins to a March 1940 directive issued by President 
Franklin D. Roosevelt as E.O. 838 1 . 1 This development was probably prompted 
somewhat by desires to clarify the authority of civilian personnel in the national 
defense community to classify information, to establish a broader basis for protecting 
military information in view of growing global hostilities, and to manage better a 
discretionary power seemingly of increasing importance to the entire executive 
branch. Prior to this 1940 order, information had been designated officially secret 
by armed forces personnel pursuant to Army and Navy general orders and 
regulations. The first systematic procedures for the protection of national defense 
information, devoid of special markings, were established by War Department 
General Orders No. 3 of February 1912. Records determined to be “confidential” 
were to be kept under lock, “accessible only to the officer to whom intrusted.” Serial 
numbers were issued for all such “confidential” materials, with the numbers marked 
on the documents, and lists of same kept at the offices from which they emanated. 
With the enlargement of the armed forces after the entry of the United States into 
World War I, the registry system was abandoned, and a tripartite system of 
classification markings was inaugurated in November 1917 with General Orders No. 
64 of the General Headquarters of the American Expeditionary Force. 

During World War n, in addition to the President’s order and prevailing armed 
forces directives on marking and handling classified information, the Office of War 
Information, in September 1942, issued a government- wide regulation on creating 
and managing classified materials. Among other ad hoc arrangements of the era, 
personnel cleared to work on the Manhattan Project for the production of the atomic 
bomb, in committing themselves not to disclose protected information improperly, 
were “required to read and sign either the Espionage Act or a special secrecy 
agreement,” establishing their awareness of their secrecy obligations and a fiduciary 
trust which, if breached, constituted a basis for their dismissal. 2 

A few years after the conclusion of World War n, President Harry S. Truman, 
in February 1950, issued E.O. 10104, which, while superseding E.O. 8381, basically 
reiterated its text, but added to Restricted, Confidential, and Secret a fourth Top 
Secret classification designation, making American information security categories 
consistent with those of our allies. 3 At the time of the promulgation of this order, 
however, plans were underway for a complete overhaul of the classification program, 
which would result in a dramatic change in policy. 



1 3 C.F.R., 1938-1943 Comp., pp. 634-635. 

2 Anthony Cave Brown and Charles B. MacDonald, eds., The Secret History of the Atomic 
Bomb (New York: Dial Press/James Wade, 1977), p. 201. 

3 3 C.F.R., 1949-1953 Comp., pp. 298-299. 
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E.O. 10290, issued in September 1951, introduced three sweeping innovations 
in security classification policy. 4 First, the order indicated the Chief Executive was 
relying upon “the authority vested in me by the Constitution and statutes, and as 
President of the United States” in issuing the directive. This formula appeared to 
strengthen the President’s discretion to make official secrecy policy: it intertwined 
his responsibility as Commander in Chief with the constitutional obligation to “take 
care that the laws be faithfully executed.” 5 Second, information was now classified 
in the interest of “national security,” a somewhat new, but nebulous, concept, which, 
in the view of some, conveyed more latitude for the creation of official secrets. It 
replaced the heretofore relied upon “national defense” standard for classification. 
Third, the order extended classification authority to nonmilitary entities throughtout 
the executive branch, to be exercised by, presumably but not explicitly limited to, 
those having some role in “national security” policy. 

The broad discretion to create official secrets granted by E.O. 10290 engendered 
widespread criticism from the public and the press. In response, President Dwight 
D. Eisenhower, shortly after his election to office, instructed Attorney General 
Herbert Brownell to review the order with a view to revising or rescinding it. The 
subsequent recommendation was for a new directive, which was issued in November 
1953 as E.O. 10501. 6 It withdrew classification authority from 28 entities; limited 
this discretion in 17 other units to the agency head; returned to the “national defense” 
standard for applying secrecy; eliminated the “Restricted” category, which was the 
lowest level of protection; and explicitly defined the remaining three classification 
areas to prevent their indiscriminate use. 7 

Thereafter, E.O. 10501, with slight amendment, prescribed operative security 
classification policy and procedure for the next two decades. Successor orders built 
on this reform. These included E.O. 1 1652, issued by President Richard M. Nixon 
in March 1972, 8 followed by E.O. 12065, promulgated by President Jimmy Carter in 
June 1978. 9 For 30 years, these classification directives narrowed the bases and 
discretion for assigning official secrecy to executive branch documents and materials. 
Then, in April 1982, this trend was reversed with E.O. 12356, issued by President 



4 Ibid., pp. 789-797. 

5 In Environmental Protection Agency v. Mink, Supreme Court Associate Justice Byron 
White, delivering the majority opinion, proffered that “Congress could certainly have 
provided that the Executive Branch adopt new procedures” for the security classification of 
information, “or it could have established its own procedures — subject only to whatever 
limitations the Executive [or constitutional separation of powers] privilege may be held to 
impose upon such congressional ordering.” 410 U.S. 73, 83 (1973). 

6 3 C.F.R., 1949-1953 Comp., pp. 979-986. 

7 U.S. Commission on Government Security, Report of the Commission on Government 
Security (Washington: June 1957), pp. 155-156. 

8 3 C.F.R., 1971-1975 Comp., pp. 678-690. 

9 3 C.F.R., 1978 Comp., pp. 190-205. 
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Ronald Reagan. 10 This order expanded the categories of classifiable information, 
mandated that information falling within these categories be classified, authorized 
the reclassification of previously declassified documents, admonished classifiers to 
err on the side of classification, and eliminated automatic declassification 
arrangements. 11 

President William Clinton returned security classification policy and procedure 
to the reform trend of the Eisenhower, Nixon, and Carter Administrations with E.O. 
12958 in April 1995. 12 Adding impetus to the development and issuance of the new 
order were changing world conditions: the democratization of many eastern European 
countries, the demise of the Soviet Union, and the end of the Cold War. 
Accountability and cost considerations were also significant influences. In 1985, the 
temporary Department of Defense (DOD) Security Review Commission, chaired by 
retired General Richard G. Stilwell, declared that there were “no verifiable figures 
as to the amount of classified material produced in DOD and in defense industry each 
year.” Nonetheless, it concluded that “too much information appears to be classified 
and much at higher levels than is warranted.” 13 In October 1993, the cost of the 
security classification program became clearer when the General Accounting Office 
(GAO) reported that it was “able to identify government-wide costs directly 
applicable to national security information totaling over $350 million for 1992.” 
After breaking this figure down — it included only $6 million for declassification 
work — the report added that “the U.S. government also spends additional billions 
of dollars annually to safeguard information, personnel, and property.” 14 E.O. 12958 
set limits for the duration of classification, prohibited the reclassification of properly 
declassified records, authorized government employees to challenge the classification 
status of records, reestablished the balancing test of E.O. 12065 (weighing the need 
to protect information vis-a-vis the public interest in its disclosure), and created two 
review panels — one on classification and declassification actions and one to advise 
on policy and procedure. 

Most recently, in March 2003, President George W. Bush issued E.O. 13292 
amending E.O. 1295 8. 15 Among the changes made by this directive were adding 
infrastructure vulnerabilities or capabilities, protection services relating to national 
security, and weapons of mass destruction to the categories of classifiable 
information; easing the reclassification of declassified records; postponing the 
automatic declassification of protected records 25 or more years old, beginning in 



10 3 C.F.R., 1982 Comp., pp. 166-178. 

11 See Richard C. Ehlke and Harold C. Relyea, “The Reagan Administration Order on 
Security Classification: A Critical Assessment,” Federal Bar News & Journal, vol. 30, Feb. 
1983, pp. 91-97. 

12 3 C.F.R., 1995 Comp., pp. 333-356. 

13 U.S. Department of Defense, Department of Defense Security Review Commission, 
Keeping the Nation’s Secrets (Washington: GPO, 1985), pp. 48-49. 

14 U.S. General Accounting Office, Classified Information: Costs of Protection Are 
Integrated with Other Security Costs, GAO Report GAO/NSIAD-94-55 (Washington: Oct. 
1993), p. 1. 

15 3 C.F.R., 2003 Comp., pp. 196-218. 




http://wikileaks.org/wiki/CRS-RL33494 



CRS-5 



mid- April 2003 to the end of December 2006; eliminating the requirement that 
agencies prepare plans for declassifying records; and permitting the Director of 
Central Intelligence to block declassification actions of the Interagency Security 
Classification Appeals Panel, unless overruled by the President. 

The security classification program has evolved over 66 years. One may not 
agree with all of its rules and requirements, but attention to detail in its policy and 
procedure result in a significant management regime. The operative presidential 
directive, as amended, defines its principal terms. Those who are authorized to 
exercise original classification authority are identified. Exclusive categories of 
classifiable information are specified, as are the terms of the duration of 
classification, as well as classification prohibitions and limitations. Classified 
information is required to be marked appropriately along with the identity of the 
original classifier, the agency or office of origin, and a date or event for 
declassification. Authorized holders of classified information who believe that its 
protected status is improper are “encouraged and expected” to challenge that status 
through prescribed arrangements. Mandatory declassification reviews are also 
authorized to determine if protected records merit continued classification at their 
present level, a lower level, or at all. Unsuccessful classification challenges and 
mandatory declassification reviews are subject to review by the Interagency Security 
Classification Appeals Panel. General restrictions on access to classified information 
are prescribed, as are distribution controls for classified information. The ISOO, 
within NARA, is mandated to provide central management and oversight of the 
security classification program. If the director of this entity finds that a violation of 
the order or its implementing directives has occurred, it must be reported to the head 
of the agency or to the appropriate senior agency official so that corrective steps, if 
appropriate, may be taken. In general, very little of this management structure 
attends information control markings other than Confidential , Secret , and Top Secret. 



Control Markings Discovered 

In March 1972, a subcommittee of the House Committee on Government 
Operations — now the House Committee on Government Reform — launched the 
first oversight hearings on the administration and operation of the Freedom of 
Information Act (FOIA). Enacted in 1966, the FOI Act had become operative in July 
1967. In the early months of 1972, the Nixon Administration was developing new 
security classification policy and procedure, which would be prescribed in E.O. 
11652, issued in early March. The subcommittee’s strong interest in this directive 
was reflected in its unsuccessful attempt to receive testimony from one of the 
directive’s principal architects, David Young, Special Assistant to the National 
Security Council. The subcommittee sought his testimony as it examined the way 
in which the new order “will affect the economic and efficient operation of our 
security classification system, the rationale behind its various provisions, and 
alternatives to the present approach.” 16 Although Young, through White House 



16 Letter to David Young, Apr. 24, 1972, appearing in U.S. Congress, House Committee on 
Government Operations, U.S. Government Information Policies and Practices — Security 

(continued...) 
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Counsel John Dean III, declined the invitation to testify, the subcommittee was more 
successful in obtaining department and agency responses to its August 1971 
questionnaire, which, among other questions, asked, “What legend is used by your 
agency to identify records which are not classifiable under Executive Order 10501 
[the operative order at the time] but which are not to be made available outside the 
government?” 17 Of 58 information control markings identified in response to this 
question, the most common were For Official Use Only (11 agencies); Limited 
Official Use (nine agencies); Official Use Only (eight agencies); Restricted Data (five 
agencies); Administratively Restricted (four agencies); Formerly Restricted Data 
(four agencies); and Nodis, or no dissemination (four agencies). Seven other 
markings were used by two agencies in each case. 18 A CRS review of the agency 
responses to the control markings question prompted the following observation: 

Often no authority is cited for the establishment or origin of these labels; even 
when some reference is provided it is a handbook, manual, administrative order, 
or a circular but not statutory authority. Exceptions to this are the Atomic 
Energy Commission, the Defense Department and the Arms Control and 
Disarmament Agency. These agencies cite the Atomic Energy Act, N.A.T.O. 
related laws, and international agreements as a basis for certain additional labels. 

The Arms Control and Disarmament Agency acknowledged it honored and 
adopted State and Defense Department labels. 19 

At a May 1, 1972, hearing on the relationship of the FOI Act to the security 
classification system, Chairman William S . Moorhead of the Foreign Operations and 
Government Information Subcommittee (Committee on Government Operations) 
wondered aloud how the act’s nine exemptions to the rule of disclosure could be 
expanded to the multiple information control markings which the departments and 
agencies had indicated they were using. 20 The following day, when the hearing 
continued, William D. Blair, Jr., Deputy Assistant Secretary for Public Affairs at the 
Department of State, explained that some information control markings were used 
to route otherwise classified information to a limited group of recipients, “those 
people who have responsibility for the subject matter concerned.” He then addressed 
the relationship question raised by Chairman Moorhead, saying: 

But if a question came in under the Freedom of Information Act or from the 
Congress or other representative of the public for that given document, the fact 
that it is marked, let’s say, NODIS, is not relevant. What is relevant to the 
making available of that document to the public is whether or not it was properly 



16 (...continued) 

Classification Problems Involving Subsection (b)(1) of the Freedom of Information Act ( Part 
7), hearings, 92 nd Cong., 2 nd sess. (Washington: GPO, 1972), pp. 2452-2453. 

17 U.S. Congress, House Committee on Government Operations, U.S. Government 
Information Policies and Practices — Security Classification Problems Involving 
Subsection (b)(1) of the Freedom of Information Act (Part 7), hearings, 92 nd Cong., 2 nd sess. 
(Washington: GPO, 1972), p. 2930 (emphasis in original). 

18 See ibid., pp. 2933-2934. 

19 Ibid., p. 2932. 

20 Ibid., p. 2284. 
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classified under the Executive order and whether or not the Freedom of 
Information Act. for example, once we have reviewed the document, still 
pertains, whether we feel that the need for the classification still pertains and 
whether, in fact, we are authorized under the act to withhold it. 21 

A moment thereafter, he explained another marking, which was not applied to 
route classified information, but apparently had the same effect as a security 
classification protective marking: 

“Limited official use” is not a fixed distribution channel, such as some of these 
other terms you have mentioned. It simply is an administrative red flag put on 
that document which means that the document should be given the same degree 
of protection, physical protection as a classified document even though it is not, 
under the Executive order, classifiable. 22 

However, when asked if, in applying this particular marking, “you mean to 
exclude all individuals outside the Department, subject to the Freedom of 
Information Act, where they can go to court to obtain it,” Blair’s response indicated 
that the use of the marking was somewhat more complicated than functioning as a 
parallel security label, when he said: 

Not necessarily sir. That may be the case. For instance, one set of files on which 
we use “Limited official use” quite commonly is personnel files. Well, we would 
be very likely to deny those personnel files if they were requested by a member 
of the public, on quite different grounds from classification — on grounds of 
invasion of privacy. But on the other hand we may use a term like “Limited 
official use” on an internal advisory document which we may be authorized 
under the Freedom of Information Act to withhold if it were requested; but we 
might decide not to claim that authority. 23 

Although an attempt was made to obtain further explanation of how information 
control markings were used, the questioner, a subcommittee staff member, concluded 
“that all you have convinced me of is to reinforce my belief that a distribution 
marking is merely a more restrictive or stricter type of classification marking.” 24 

Later in the hearing, in an exchange with the subcommittee’s staff director, 
DOD General Counsel J. Fred Buzhardt made another attempt to clarify the use of 
control markings: 

In the first place, you have a determination as to whether the material is to be 
classified. Once the decision is made that the information should be classified, 
then the limitation of access has to do with the protection of that which is 
classified. We also have the responsibility to control the dissemination. That is 
what these access limitations are for, to control dissemination, to confine access 



21 Ibid., pp. 2477-2478. 

22 Ibid., p. 2478. 

23 Ibid. 

24 Ibid., p. 2479. 
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to the people who have a need to know to work with the information. It is a 
protection device. We must use protective devices of some sort. 25 

Asked if the control markings, such as eyes only, were applied to material that 
was not classified, Buzhardt said: 

1 presume you wouldn’t find “eyes only” in an authorized way upon any 
document that was not classified by one of the classifiers. Once it is classified 
you can use limitations on distribution to protect it. That is a protective device. 26 

To this response, Blair added: 

The purpose of classification is to determine what information is or is not 
available to the public outside of the government. These labels that you are 
referring to have nothing to do with that. They have absolutely no value for 
determining what information or what document may be given to a member of 
the public. They are simply a mailing device, if you like, a means by which a 
superior determines which of his subordinates he wishes to deal with this 
particular matter and be aware of this particular information. 27 

These explanations of information control markings being used as devices to 
limit the distribution of classified information within DOD and the State Department, 
however, did not appear to extend to all such markings. Blair, for instance, had 
testified that the Limited official use marking was applied, in his words, “quite 
commonly” to personnel files, which, for the most part, were not security classifiable 
materials at that time. Several entities indicating they used information control 
markings had no original classification authority. These included, among others, the 
American Revolution Bicentennial Commission (ARBC), the Department of Housing 
and Urban Development, and the Federal Trade Commission (FTC). 28 Does this 
situation mean that the control markings of these entities were applied only to limit 
the distribution of classified information received from other agencies? That is 
possible, but seems unlikely. The ARBC control marking, Administratively 
confidential, appears to have been designed for information of a different character 
from national security classified materials, while the FTC label, For staff use only, 
does not appear to have provided much limitation on the distribution of classified 
information. 

Before this phase of the oversight hearings on the FOI Act concluded, the 
subcommittee received testimony from Assistant Attorney General Ralph E. Erickson 
of the Office of Legal Counsel, Department of Justice, on May 11, 1972. During the 
course of his appearance before the subcommittee to discuss E.O. 1 1652, the use of 
control markings to limit the distribution of classified information was raised with 
the following question from the subcommittee’s staff director: 



25 Ibid., p. 2497. 

26 Ibid. 

27 Ibid., pp. 2497-2498. 

28 See ibid., p. 2935. 
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Can you assure us today that these kinds of distribution access stamps will not 
be used on unclassified material in any Executive agency or department? If you 
can guarantee that, then 1 will go along and say [Section] 4(a) is a big 
improvement. But I do not think that is going to be the case from other testimony 
we have had. I think people are going to substitute LIMDIS, NODIS, and all 
these other stamps for the stamps authorized under the Executive order and we 
are going to proliferate more and more and more. 29 

Erickson offered a two part response: 

First, it is our hope within the Department of Justice and 1 think in other 
agencies, too, that the use of this sort of a restricted distribution will be severely 
limited or removed. But, more importantly, it [Section 4(a)] specifically limits 
the use of such designations to the point where they must conform with the 
provision of this order and would have no effect in terms of classification. It will 
not prevent the information from otherwise being made available. It may in part 
restrict the distribution within the department but certainly if a request were 
made under the Freedom of Information Act it has no applicability. 30 

He assured his questioner that control markings used to limit the distribution of 
classified information “will not have any effect on disclosure” under the FOI Act, and 
would not, in themselves, be a bar to disclosure. 

Later, in May 1 973, when reviewing this phase of the subcommittee’ s oversight 
hearings, a report by the parent Committee on Government Operations commented: 

One of the difficult problems related to the effective operation of the security 
classification system has been the widespread use of dozens of special access, 
distribution, or control labels, stamps, or markings on both classified and 
unclassified documents. Such control markings were not specifically authorized 
in Executive Order 10501, but have been utilized for many years by many 
executive agencies having classification authority and dozens of other agencies 
who do not possess such authority. The use of such stamps has, in effect, been 
legitimized in section 9 of the new Executive Order 1 1652. 31 

On this matter, the report concluded that, “while there is a clear rationale for the 
use of such access or control markings, the basic problem is the effect of the 
proliferation of their use on the effective operation of the classification system. This 
problem,” it continued, “fully explored with executive branch witnesses during the 
hearings, is one that this committee believes should be carefully monitored by the 
[newly created] Interagency Classification Review Committee and by department 



29 Ibid., pp. 2705-2706. 

30 Ibid., p. 2706. 

31 U.S. Congress, House Committee on Government Operations, Executive Classification 
of Information — Security Classification Problems Involving Exemption (b)(1) of the 
Freedom of Information Act (5 U.S.C. 552), H.Rept. 93-221, 93 rd Cong., 2 nd sess. 
(Washington: GPO, 1973), p. 75. 
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heads to assure that it does not interfere with the overall effectiveness and integrity 
of the classification system.” 32 



Control Markings Today 

That such interference with the security classification program by these types 
of information control markings — in terms of both their confusion and presumed 
coequal authority with classification markings — has occurred in the post-9/11 
environment may be discerned in a press account. In late January 2005, GCN 
Update , the online, electronic news service of Government Computer News, reported 
that “dozens of classified Homeland Security Department documents” had been 
accidently made available on a public Internet site for several days due to an apparent 
security glitch at the Department of Energy. Describing the contents of the 
compromised materials and reactions to the breach, the account stated the 
“documents were marked ‘for official use only,’ the lowest secret-level 
classification.” The documents, of course, were not security classified, because the 
marking cited is not authorized by E.0. 12958. Interestingly, however, in view of the 
fact that this misinterpretation appeared in a story to which three reporters 
contributed, perhaps it reflects, to some extent, the current state of confusion about 
the origin and status of various new information control markings which have 
appeared of late. 33 In some instances, the phraseology of the markings is new, and, 
in at least one case, the asserted authority for the label is, unlike most of those of the 
past, statutory. Among the problems they generate, however, the one identified over 
three decades ago by the House Committee on Government Operations endures. 

Broadly considering the contemporary situation regarding information control 
markings, a recent information security report by the JASON Program Office of the 
MITRE Corporation proffered the following assessment: 

The status of sensitive information outside of the present classification system 
is murkier than ever.... “Sensitive but unclassified” data is increasingly defined 
by the eye of the beholder. Lacking in definition, it is correspondingly lacking 
in policies and procedures for protecting (or not protecting) it, and regarding how 
and by whom it is generated and used. 34 

A contemporaneous Heritage Foundation report appeared to agree with this 
appraisal, saying: 

The process for classifying secret information in the federal government is 
disciplined and explicit. The same cannot be said for unclassified but security- 
related information for which there is no usable definition, no common 



32 Ibid., p. 78. 

33 Patience Wait, “DHS Classified Briefings Leaked Through Energy System,” GCN Update, 
Jan. 27, 2005, available at [http://www.gcn.com/online/voll_nol/34907-l.html]; credited 
as contributing to this story were GCN staff writers Susan M. Menke and Mary Mosquera. 

34 MITRE Corporation, JASON Program Office, Horizontal Integration: Broader Access 
Models for Realizing Information Dominance (McLean, VA: Dec. 2004), p. 5. 
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understanding about how to control it. no agreement on what significance it has 
for U.S. national security, and no means for adjudicating concerns regarding 
appropriate levels of protection. 35 

Concerning the current Sensitive But Unclassified (SBU) marking, a 2004 report 
by the Federal Research Division of the Library of Congress commented that 
guidelines for its use are needed, and noted that “a uniform legal definition or set of 
procedures applicable to all Federal government agencies does not now exist.” 
Indeed, the report indicates that SBU has been utilized in different contexts with little 
precision as to its scope or meaning, and, to add a bit of chaos to an already 
confusing situation, it is “often referred to as Sensitive Homeland Security 
Information.” 36 

Assessments of the variety, management, and impact of information control 
markings, other than those prescribed for the classification of national security 
information, have been conducted by CRS, GAO, and the National Security Archive, 
a private-sector research and resource center located at The George Washington 
University. In March 2006, GAO indicated that, in a recent survey, 26 federal 
agencies reported using 56 different information control markings to protect sensitive 
information other than classified national security material. 37 That same month, the 
National Security Archive offered that, of 37 agencies surveyed, 24 used 28 control 
markings based on internal policies, procedures, or practices, and eight used 10 
markings based on statutory authority. 38 These numbers are important in terms of the 
variety of such markings. GAO explained this dimension of the management 
problem: 

[TJhere are at least 13 agencies that use the designation For Official Use Only 
[FOUO], but there are at least five different definitions of FOUO. At least seven 
agencies or agency components use the term Law Enforcement Sensitive (LES), 
including the U.S. Marshals Service, the Department of Homeland Security 
(DHS), the Department of Commerce, and the Office of Personnel Management 
(OPM). These agencies gave differing definitions for the term. While DHS does 
not formally define the designation, the Department of Commerce defines it to 
include information pertaining to the protection of senior government officials, 
and OPM defines it as unclassified information used by law enforcement 
personnel that requires protection against unauthorized disclosure to protect the 



35 James Jay Carafano and David Heyman, “DHS 2.0: Rethinking the Department of 
Homeland Security,” Heritage Special Report SR-02 (Washington: Dec. 13, 2004), p. 20. 

36 U.S. Library of Congress, Federal Research Division, Laws and Regulations Governing 
the Protection of Sensitive but Unclassified Information , by Alice R. Buchalter, John Gibbs, 
and Marieke Lewis (Washington: Sept. 2004), p. i. 

37 U.S. Government Accountability Office, Information Sharing: The Federal Government 
Needs to Establish Policies and Processes for Sharing Terrorism- Related and Sensitive but 
Unclassified Information, GAO Report GAO-06-385 (Washington: Mar. 2006), pp. 5, 25. 

38 National Security Archive, Pseudo-Secrets: A Freedom of Information Act Audit of the 
U.S. Government’ s Policies on Sensitive Unclassified Information (Washington: Mar. 2006), 
pp. 9-11. 
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sources and methods of investigative activity, evidence, and the integrity of 
pretrial investigative reports. 39 

Apart from the numbers, however, is another aspect of the management 
problem, which GAO described in the following terms: 

There are no governmentwide policies or procedures that describe the basis on 
which agencies should use most of these sensitive but unclassified designations, 
explain what the different designations mean across agencies, or ensure that they 
will be used consistently from one agency to another. In this absence, each 
agency determines what designations to apply to the sensitive but unclassified 
information it develops or shares. 40 



Comparison of Sensitive Security 
Information (SSI) Policies 

To identify some of the management problems and concerns attending current 
information control markings, the following case study comparison is provided. 
Sensitive Security Information (SSI) refers to a specific category of government 
information that has been deemed to require protection against unauthorized 
disclosure. It is both a concept and a control marking used by the Department of 
Agriculture (USDA), on the one hand, and jointly by the Transportation Security 
Administration (TSA) of the Department of Homeland Security as well as by the 
Department of Transportation, on the other hand, but with different underlying 
authorities, conceptualizations, and management regimes for it. 

USDA Marking 

Sensitive Security Information (SSI) appears to be a relatively new information 
concept and control marking for USDA. Other similar designations, however, are 
also in use within the department. An information security program statement 
indicates that “USDA refers to unclassified sensitive information as ‘Sensitive 
Security Information’ (SSI). Basically,” it continues, “it’s to be treated the same as 
‘Sensitive But Unclassified Information’ or ‘For Official Use Only Information.’” 41 
As a USDA website page, this document provides links to a USDA SSI cover sheet 
and the department’s SSI management regulation, both of which are printable, and 
a brief Power Point presentation designed to assist USDA employees in 
understanding the SSI concept. Another USDA website page provides more details 
concerning For Official Use Only (FOUO) and similar designations. It states at the 



39 U.S. Government Accountability Office, Information Sharing: The Federal Government 
Needs to Establish Policies and Processes for Sharing Terrorism- Related and Sensitive but 
Unclassified Information , p. 24. 

40 Ibid., p. 5. 

41 U.S. Department of Agriculture, Personnel and Document Security Division, Office of 
Procurement and Property Management, “Information Security Program,” undated, available 
at [http://www.usda.gov/da/infosec/sensitive.htm] . 
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outset that FOUO “is a document designation, not a classification,” and explains that 
this term is used by “a number of other federal agencies to identify information or 
material which, although unclassified, may not be appropriate for public release.” 
Some of these other agencies are identified, as are some agencies which use different, 
but comparable, designations, which are provided as well. The discussion of FOUO, 
which relies upon Department of Defense policy and practice, cautions that 
information so marked “does not mean it is automatically exempt from public release 
under” the Freedom of Information Act (FOIA), specifies how unclassified 
documents and materials containing FOUO shall be marked and safeguarded, and 
warns that “[administrative penalties may be imposed for misuse of FOUO 
information,” as well as criminal penalties, “depending on the actual content of the 
information (privacy, export control, etc.).” 42 

Sensitive but Unclassified (SBU) information is discussed in Chapter 10, part 
2, of the USDA Cyber Security Manual, Series 3500, also known as DM3550-02 of 
February 17, 2005. SBU information is identified, in part, in terms of examples, 
which include: “Social Security Numbers, Employee Emergency Data, For Official 
Use Only Documents, For Limited Official Use Documents, Funding/Budget 
Documents, Grant/Contract Documents, FT [information technology] Security Plans, 
Formulas/Trade Secrets, Internet Protocol (IP) Addresses, Network Design 
Diagrams.” 43 Thus, another information control designation, For Limited Official 
Use, is identified, and, furthermore, the chapter states that “SBU information also 
includes Sensitive Security Information (SSI),” but notes, as the examples reflect, 
“the SBU category contains information that is not security related but is still 
sensitive in terms of its risk of exposure.” 44 Thereafter, the chapter refers to 
“SBU/SSI.” Various procedures for the processing, handling, and storage of 
SBU/SSI are specified. 45 Among these is a stipulation that access to SBU/SSI “will 
be provided to employees with a Need-To-Know,” a standard long-governing access 
to security classified information. Furthermore, “when SBU/SSI data must be shared 
with contractors and entities outside USDA a Non-Disclosure Agreement Form ... 
must be executed ... to preclude possible organizational or personal conflicts of 
interest.” 46 A copy of this agreement is provided at the end of the chapter. It 
concludes with a specification of various management responsibilities. 



42 U.S. Department of Agriculture, Personnel and Document Security Division, Office of 
Procurement and Property Management, “For Official Use Only (FOUO) and Similar 
Designations,” undated, available at [http://www.usda.gov/da/ocpm/Security%20Guide/ 
S2unclas/Fouo.htm] . 

43 U.S. Department of Agriculture, Office of the Chief Information Officer, USDA Cyber 
Security Manual, Series 3500 , Chapter 10, part 2 (DM3550-002), Feb. 17, 2005, p. 8, 
chapters separately dated and available at [http://www.ocio.usda.gov/directives/index.html], 

44 Ibid., p. 1. 

45 Ibid., pp. 3-4. 

46 Ibid., p. 4 (emphasis in original). 
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USDA Management 

The control and protection of Sensitive Security Information (SSI) is discussed 
in USDA Departmental Regulation 3440-002 of January 30, 2003. 47 The regulation 
specifies that the “USDA will withhold from release sensitive information that is not 
appropriate for public disclosure consistent with laws, regulations and court 
decisions,” but also stresses that, “if USDA originates documents that it believes 
should be classified, Departmental Administration (DA) should be notified as soon 
as possible.” As noted earlier, the Secretary of Agriculture was presidentially 
authorized to classify information originally as Secret (but not Top Secret ) in 
September 2002. The regulation also proffers the following proscription: 
“Information must not be designated as Sensitive Security Information (SSI) to 
conceal violations of law; inefficiency; administrative error; prevent embarrassment 
to a person, organization, department or agency; or restrain competition.” This ban 
is similar to one prescribed for security classification. 48 

The regulation provides a lengthy definition of SSI, set out below: 

Sensitive Security Information means unclassified information of a sensitive 
nature, that if publicly disclosed could be expected to have a harmful impact on 
the security of Federal operations or assets, the public health or safety of the 
citizens of the United States or its residents, or the nation’s long-term economic 
prosperity; and which describes, discusses, or reflects: 

1. The ability of any element of the critical infrastructure of the United 
States [also defined in the regulation] to resist intrusion, interference, 
compromise, theft, or incapacitation by either physical or computer- 
based attack or other similar conduct that violates Federal, State, or local 
law; harms interstate, international commerce of the United States; or 
threatens public health or safety; 

2. Any current viable assessment, projection, or estimate of the security 
vulnerability of any element of the critical infrastructure of the United 
States, specifically including, but not limited to vulnerability assessment, 
security testing, risk evaluation, risk-management planning, or risk audit; 
[and] 

3. Any currently applicable operational problem or solution regarding the 
security of any element of the critical infrastructure of the United States, 
specifically including but not limited to the repair, recovery, redesign, 
reconstruction, relocation, insurance, and continuity of operations of any 
element. 



47 U.S. Department of Agriculture, Control and Protection of “Sensitive Security 
Information, ” Departmental Regulation 3440-002, Jan. 30, 2003, available at 
[http://www.ocio.usda.gov/directives/doc/DR3440-002.htm]. 

48 Section 1.7 of E.O. 12958, as amended, states, in part: “(a) In no case shall information 
be classified in order to: (1) conceal violations of law, inefficiency, or administrative error; 
(2) prevent embarrassment to a person, organization, or agency; (3) restrain competition; or 
(4) prevent or delay the release of information that does not require protection in the interest 
of the national security, (b) Basic scientific research information not clearly related to the 
national security shall not be classified.” 
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As a fourth item in the above quoted definition of SSI, the regulation provides 
the following categories “for illustration purposes only as examples of the types of 
information (regardless of format) that may be categorized as SSI.” 

1. Physical security status of USD A laboratories, research centers, field 

facilities, etc., which may also contain vulnerabilities; 

2. Investigative and analytical materials concerning information about 

physical security at USDA facilities such as the above-named facilities; 

3. Information that could result in physical risk to individuals; 

4. Information that could result in serious damage to critical facilities 

and/or infrastructures; [and] 

5. Cyber Security information, which includes, but is not limited to 

a. Network Drawings or Plans 

b. Program and System Security Plans 

c. Mission Critical and Sensitive Information Technology (IT) 

Systems and Applications 

d. Capital Planning and Investment Control Data (I-TIPS) 

e. IT Configuration Management Data and Libraries 

f. IT Restricted Space (Drawings, Plans and Equipment Specifications 
as well as actual space) 

g. Incident and Vulnerability Reports 

h. Risk Assessment Reports, Checklists, Trusted Facilities Manual and 
Security Users Guide [and] 

i. Cyber Security Policy Guidance and Manual Chapters 

Specific responsibilities are prescribed for senior USDA officials, heads of 
department organizations, the Office of the Chief Information Officer, and the Office 
of the General Counsel. Among the responsibilities specified for USDA agencies 
and staff offices are the following: 

• Ensure that adequate security measures and procedures are 
implemented to protect SSI. 

• Ensure that employees of their organization are aware of their 
responsibility to protect SSI. 

• Determine the potential harm resulting from the loss, misuse, or 
unauthorized access to or modification of SSI in their custody. 

• Ensure that prompt and appropriate disciplinary action is taken 
against personnel responsible for unauthorized disclosure of SSI. 

Regarding FOIA requests for access to SSI, the regulation instructs that these 
should be processed “in accordance with USDA regulations and the Attorney 
General’s FOIA Memorandum of October 12, 2001,” which is appended to the 
regulation, “with consideration of all applicable FOIA exemptions, including” four 
identified as “Potentially Applicable to SSI.” 

The departmental regulation does not cite any statutory authority for its 
issuance. 




http://wikileaks.org/wiki/CRS-RL33494 



CRS-16 



TSA/DOT Marking 

Originally established within the Department of Transportation (DOT) by the 
Aviation and Transportation Security Act (ATS A) of 2001, 49 the Transportation 
Security Administration (TSA) was subsequently transferred to the newly created 
Department of Homeland Security (DHS) by the Homeland Security Act of 2002. 50 
The ATSA was signed into law two months after the September 1 1 terrorist attacks 
on the World Trade Center and the Pentagon. Shortly thereafter, in a February 15, 
2002, notice, DOT announced that TSA was assuming civil aviation security 
functions and responsibilities as provided by the ATSA, as well as those being 
transferred which had previously been performed by the Federal Aviation 
Administration (FAA), another DOT subunit. 51 A week later, DOT issued in final 
form, without prior notice or opportunity for public comment, new civil aviation 
security rules. 52 These rules were prompted by the enactment of the ATSA and the 
assumption of FAA civil aviation security functions and responsibilities by the TSA. 
Among them was a new part 1520 of Title 49 of the Code of Federal Regulations 
concerning the protection of “Sensitive Security Information.” This new concept, it 
was explained, “includes information about security programs, vulnerability 
assessments, technical specifications of certain screening equipment and objects used 
to test screening equipment, and other information.” 53 A little over two years later, 
however, these rules were superseded. 

TSA/DOT Management 

On May 18, 2004, DOT and DHS jointly published, as an interim, final rule 
with request for comments, revised regulations concerning the protection of SSI. In 
the summary, it was noted that “TSA is revising its regulation governing the 
protection of sensitive security information (SSI) in order to protect the 
confidentiality of maritime security measures adopted under the U.S. Coast Guard’s 
regulations, published on October 22, 2003, implementing the Maritime 
Transportation Security Act (MTSA) and other activities related to port and maritime 
security.” It was further explained that, “with this revision to the regulations, TSA 
is requiring employees, contractors, grantees, and agents of DHS and DOT to follow 
the same requirements governing protection of SSI as those in the transportation 
sector who are subject to the regulation.” 54 The interim rule was issued as 49 C.F.R. 
Part 15 for the Office of the Secretary of Transportation and as 49 C.F.R. Part 1520 
for the TSA. 

In the review of the statutory and regulatory background to the rule, the 
observation was proffered that, “situations in which information constitutes both SSI 



49 115 Stat. 597. 

50 116 Stat. 2135 at 2185. 

51 Federal Register , vol. 67, Feb. 20, 2002, pp. 7939-7940. 

52 Ibid., Feb. 22, 2002, pp. 8340-8384. 

53 Ibid., p. 8342. 

54 Ibid., vol. 69, May 18, 2004, p. 28066. 
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and CII,” the latter being another type of data known as critical infrastructure 
information, “may be limited.” Pursuant to the Critical Infrastructure Information 
(CII) Act, a subtitle of the Homeland Security Act, 55 CII, it was explained, “is 
voluntarily submitted by the private sector to the Federal Government” and the 
statute “generally prohibits Federal agencies from disclosing such information, 
except within the Federal Government and to State and local governments in order 
to protect critical infrastructure.” The following comparison was then offered: 

information constituting SSI generally is not voluntarily submitted to the 
government, which is required for the CII designation. In addition, SSI relates 
to both critical and noncritical infrastructure assets. There may be cases, 
however, where the owner or operator of a critical transportation asset 
voluntarily submits information, such as a vulnerability assessment, to TSA or 
the Coast Guard. If that information were to be designated by DHS as CII, it 
would be governed by the requirements of handling of CII, rather than by the SSI 
regulation. 

Another key difference between SSI and CII is the extent to which a Federal 
employee may disclose such information. Under the SSI regulation, TSA may 
disclose SSI to persons with a need to know in order to ensure transportation 
security. This includes persons both within and outside the Federal Government. 

The CII Act, however, generally prohibits disclosure of properly designated CII 
outside the Federal Government. Thus, the interim final rule clarifies that in 
cases where information is both SSI and CII, the receipt, maintenance, or 
disclosure of such information by a Federal agency or employee is governed by 
the CII Act and any implementing regulations, by not the interim final rule. 56 

The interim final rule was composed of 10 subsections. The first of these 
pertained to the scope of the part, explaining it “does not apply to the maintenance, 
safeguarding, or disclosure of classified national security information,” and the 
second defined terms used in the part. 57 The third subsection explained what 
constituted SSI in the following terms: 

(a) In general.... SSI is information obtained or developed in the conduct 
of security activities, including research and development, the disclosure of 
which ... would — 

(1) Constitute an unwarranted invasion of privacy (including, but not 
limited to, information contained in any personnel, medical, or similar file); 

(2) reveal trade secrets or privileged or confidential information obtained 
from any person; or 

(3) Be detrimental to transportation safety. 

(b) Information constituting SSI. Except as otherwise provided in writing 
... in the interest of public safety or in furtherance of transportation security, the 
following information, and records containing such information, constitute SSI: 

(1) Security programs and contingency plans. Any security program or 
security contingency plan issued, established, required, received, or approved by 
DOT or DHS, including — 



55 See 116 Stat. 2150. 

56 Federal Register, vol. 69, May 18, 2004, p. 28069. 

57 Ibid., pp. 28078, 28082. 
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(1) Any aircraft operator or airport operator security program or security 
contingency plan under this chapter; 

(ii) Any vessel, maritime facility, or port area security plan required or 
directed under Federal law; 

(iii) Any national or area security plan prepared under 46 U.S.C. 70103; 

and 

(iv) Any security incident response plan established under 46 U.S.C. 70104. 

(2) Security Directives. Any Security Directive or order — 

(i) Issued by TSA under 49 CFR 1542.303, 1544.305, or other authority; 

(ii) Issued by the Coast Guard under the Maritime Transportation Security 
Act, 33 CFR part 6, or 33 U.S.C. 1221 et seq. Related to maritime security; or 

(iii) Any comments, instructions, and implementing guidance pertaining 
thereto. 

(3) Information Circulars. Any notice issued by DHS or DOT regarding 
a threat to aviation or maritime transportation, including any — 

(i) Information Circular issued by TSA under 49 CFR 1542.303 or 
1544.305, or other authority; and 

(ii) Navigation or Vessel Inspection Circular issued by the Coast Guard 
related to maritime security. 

(4) Performance specifications. Any performance specification and any 
description of a test object or test procedure, for — 

(i) Any device used by the Federal government or any other person pursuant 
to any aviation or maritime transportation security requirement of Federal law 
for the detection of any weapon, explosive, incendiary, or destructive device or 
substance; and 

(ii) Any communications equipment used by the Federal government or any 
other person in carrying out or complying with any aviation or maritime 
transportation security requirements of Federal law. 

(5) Vulnerability assessments. Any vulnerability assessment directed, 
created, held, funded, or approved by the DOT, DHS, or that will be provided to 
DOT or DHS in support of a Federal security program. 

(6) Security inspection or investigative information, (i) Details of any 
security inspection or investigation of an alleged violation of aviation or 
maritime transportation security requirements of Federal law that could reveal 
a security vulnerability, including the identity of the Federal special agent or 
other Federal employee who conducted the inspection or audit. 

(ii) In the case of inspections or investigations performed by TSA, this 
includes the following information as to events that occurred within 12 months 
of the date of release of the information: the name of the airport where a 
violation occurred, the airport identifier in the case number, a description of the 
violation, the regulation allegedly violated, and the identity of any aircraft 
operator in connection with specific locations or specific security procedures. 
Such information will be released after the relevant 12-month period, except that 
TSA will not release the specific gate or other location on an airport where an 
event occurred, regardless of the amount of time that has passed since its 
occurrence. During the period within 12 months of the date of release of the 
information, TSA may release summaries of an aircraft operator’s, but not an 
airport operator’s, total security violations in a specified time range without 
identifying specific violations or locations. Summaries may include total 
enforcement actions, total proposed civil penalty amounts, number of cases 
opened, number of cases referred to TSA or FAA counsel for legal enforcement 
action, and number of cases closed. 

(7) Threat information. Information held by the Federal government 
concerning threats against transportation or transportation systems and sources 
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and methods used to gather or develop threat information, including threats 
against cyber infrastructure. 

(8) Security measures. Specific details of aviation or maritime 
transportation security measures, both operational and technical, whether applied 
directly by the Federal government or another person, including — 

(i) Security measures or protocols recommended by the Federal 
government; 

(ii) Information concerning the deployments, numbers, and operations of 
Coast Guard personnel engaged in maritime security duties and Federal Air 
Marshals, to the extent it is not classified national security information; and 

(iii) Information concerning the deployments and operations of Federal 
Flight Deck Officers, and number of Federal Flight Deck Officers aggregated by 
aircraft operator. 

(9) Security screening information. The following information concerning 
security screening under aviation or maritime transportation security 
requirements of Federal law: 

(i) Any procedures, including selection criteria and any comments, 
instructions, and implementing guidance pertaining thereto, for screening of 
persons, accessible property, checked baggage, U.S. mail, stores, and cargo, that 
is conducted by the Federal government or any other authorized person. 

(ii) Information and sources of information used by a passenger or property 
screening program or system, including an automated screening system. 

(iii) Detailed information about the locations at which particular screening 
methods or equipment are used, only if determined by TSA to be SSI. 

(iv) Any security screener test and scores of such tests. 

(v) Performance or testing data from security equipment or screening 
systems. 

(vi) Any electronic image shown on any screening equipment monitor, 
including threat images and descriptions of threat images for threat image 
projection systems. 

(10) Security training materials. Records created or obtained for the 
puipose of training persons employed by, contracted with, or acting for the 
Federal government or another person to carry out any aviation or maritime 
transportation security measures required or recommended by DHS or DOT. 

(11) Iden tifying information of certain transportation security personnel. 

(i) Lists of the names of or other identifying information that identify 
persons as — 

(A) Having unescorted access to a secure area of an airport or a secure or 
restricted area of a maritime facility, port area, or vessel; or 

(B ) Holding a position as a security screener employed by or under contract 
with the Federal government pursuant to aviation or maritime transportation 
security requirements of Federal law, where such lists are aggregated by airport; 

(C) Holding a position with the Coast Guard responsible for conducting 
vulnerability assessments, security boardings, or engaged in operations to enforce 
maritime security requirements or conduct force protection; 

(D) Holding a position as a Federal Air Marshal; or 

(ii) The name or other identifying information that identifies a person as a 
current, former, or applicant for Federal Flight Deck Officer. 

(12) Critical aviation or maritime infrastructure asset information. Any 
list identifying systems or assets, whether physical or virtual, so vital to the 
aviation or maritime transportation system that the incapacity or destruction of 
such assets would have a debilitating impact on transportation security, if the list 
is — 



(i) Prepared by DHS or DOT ; or 
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(ii) Prepared by a State or local government agency and submitted by the 
agency to DHS or DOT. 

(13) Systems security information. Any information involving the security 
of operational or administrative data systems operated by the Federal government 
that have been identified by the DOT or DHS as critical to aviation or maritime 
transportation safety or security, including automated information security 
procedures and systems, security inspections, and vulnerability information 
concerning those systems. 

(14) Confidential business information, (i) Solicited or unsolicited 
proposals received by DHS or DOT, and negotiations arising therefrom, to 
perform work pursuant to a grant, contract, cooperative agreement, or other 
transaction, but only to the extent that the subject matter of the proposal relates 
to aviation or maritime transportation security measures; 

(ii) Trade secret information, including information required or requested 
by regulation or Security Directive, obtained by DHS or DOT in carrying out 
aviation or maritime transportation security responsibilities; and 

(iii) Commercial or financial information, including information required 
or requested by regulation or Security Directive, obtained by DHS or DOT in 
carrying out aviation or maritime transportation security responsibilities, but only 
if the source of the information does not customarily disclose it to the public. 

(15) Research and development. Information obtained or developed in the 
conduct of research related to aviation or maritime transportation security 
activities, where such research is approved, accepted, funded, recommended, or 
directed by the DHS or DOT, including research results. 

(16) Other information. Any information not otherwise described in this 
section that TSA determines is SS under 49 U.S.C. 1 14(s) or that the Secretary 
of DOT determines is SSI under 49 U.S.C. 401 19. Upon the request of another 
Federal agency, the Secretary of DOT may designate as SSI information not 
otherwise described in this section. 58 

The fourth subsection generically identified persons subject to the requirements 
of the part, and restrictions on the disclosure of SSI by these “covered persons” were 
prescribed in the fifth subsection. These included taking “reasonable steps to 
safeguard SSI in that person’s possession or control from unauthorized disclosure,” 
and, when not in physical possession of SSI, storing it in “a secure container, such 
as a locked desk or file cabinet, or in a locked room.” Unless otherwise authorized 
in writing, SSI could be disclosed “only to covered persons who have a need to 
know,” who were described in the sixth subsection. “If a covered person receives a 
record containing SSI that is not marked,” he or she must so mark the material and 
inform the sender of the need to so identify SSI. Furthermore, when a covered 
person “becomes aware that SSI has been released to unauthorized persons,” he or 
she “must promptly inform TSA or the applicable DOT or DHS component or 

”59 

agency. 

The seventh subsection pertained to marking records containing SSI, including 
the front and back covers, the title page, and each page of the document with the 



58 Ibid., pp. 28079-28080, 28082-28084. 

59 Ibid., pp. 28080-28081, 28084. 
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Sensitive Security Information label. A distribution limitation statement was also 
prescribed for inclusion with the marked record. 60 

SSI disclosure was discussed in the eighth subsection. Pursuant to “a proper 
Freedom of Information Act or Privacy Act request,” a responsive record may be 
disclosed “with the SSI redacted, provided the record is not otherwise exempt from 
disclosure” under other provisions of these laws. The part did not preclude the 
disclosure of SSI “to a committee of Congress authorized to have the information or 
to the Comptroller General, or to any authorized representative of the Comptroller 
General.” Discretionary allowance was made for the disclosure of SSI in an 
administrative enforcement proceeding, but provision was made for requiring a 
security background check for parties to the proceedings to whom SSI would be 
disclosed. 61 

The ninth subsection indicated that violation of the part “is grounds for a civil 
penalty and other enforcement or corrective action ..., and appropriate personnel 
actions for Federal employees.” The subsection continued, saying: “Corrective 
action may include issuance of an order requiring retrieval of SSI to remedy 
unauthorized disclosure or an order to cease future unauthorized disclosure.” 62 

Finally, the 10 lh subsection, while acknowledging Federal Records Act 
requirements to preserve records containing documentation of a federal agency’s 
policies, decisions, and essential transactions, authorized the destruction of SSI when 
it is no longer needed to carry out agency functions. “A covered person,” according 
to the subsection, “must destroy SSI completely to preclude recognition or 
reconstruction of the information when the covered person no longer needs the SSI 
to carry out transportation security measures,” but this provision “does not require 
a State or local government agency to destroy information that the agency is required 
to preserve under State or local law.” 63 

As produced in the 2004 edition of Title 49, Code of Federal Regulations, Part 
15 cited one statutory provision as authority for its issuance: 49 U.S.C. 40119, 
directing the conduct of research and development activities to develop, modify, test, 
and evaluate a system, procedures, facility, or device to protect passengers and 
property against acts of criminal violence and piracy in transportation. Part 1520, 
however, cited several statutory provisions in this regard: 

• 46 U.S.C. §§ 70102-70106, basically deriving from the MTSA, and 
authorizing United States facility and vessel vulnerability 
assessments, a national maritime transportation security plan, 
security incident response plans for vessels and facilities that may be 
involved in a transportation security incident, the issuance of 



60 Ibid., pp. 28081,28085. 

61 Ibid., pp. 28081,28085. 

62 Ibid., pp. 28082, 28085. 

63 Ibid. 
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transportation security cards, and the establishment of maritime 
safety and security teams. 64 

• 46 U.S.C. § 70117, basically deriving from the MTSA, and 
establishing a civil penalty for violations of the port security chapter 
or any regulation issued pursuant to it. 65 

• 49 U.S.C. § 1 14, basically deriving from the ATSA and mandating 
the TSA and the related DOT Transportation Security Oversight 
Board, 66 and which was subsequently amended by the Homeland 
Security Act to authorize (with the addition of Subsection 1 14(s)) 
the prescribing of “regulations prohibiting the disclosure of 
information obtained or developed in carrying out security under 
authority of’ the ATSA “if the Under Secretary decides that 
disclosing the information would (A) be an unwarranted invasion of 
personal privacy; (B) reveal a trade secret or privileged or 
confidential commercial or financial information; or (C) be 
detrimental to the security of transportation.” 67 

• 49 U.S.C. § 401 13, prescribing general authority for the Secretary of 
Transportation, Under Secretary of Transportation for Security, or 
Administrator of the FAA, as appropriate, to take necessary action 
to carry out this part, including conducting investigations, 
prescribing regulations, standards, and procedures, and issuing 
orders. 

• 49 U.S.C. §§ 44901-44907, prescribing security requirements for the 
Administrator of the FAA to prescribe regulations concerning the 
screening of passengers and property, the conditions for refusal of 
transport by intrastate and foreign air carriers, and the protection of 
passengers and property on an aircraft operating in air transportation 
or intrastate air transportation against an act of criminal violence or 
aircraft piracy; to assess, in conjunction with the Director of the FBI, 
current and potential threats to the domestic air transportation 
system; and to not approve a security program of a foreign air carrier 
unless it requires the foreign air carrier, in its operations to and from 
airports in the United States, to adhere to the identical security 
measures that the Administrator requires air carriers serving the 
same airports to adhere to. These provisions also require, under 
guidelines prescribed by the Secretary of Transportation, that an air 
carrier, airport operator, ticket agent, or an individual employed by 
same, receiving information about a threat to civil aviation provide 
that information promptly to the Secretary; and direct the Secretary, 



64 See 1 16 Stat. 2064 at 2068-2075. 

65 116 Stat. 2084. 

66 115 Stat. 597. 

67 116 Stat. 2135 at 2312. 
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at intervals considered necessary, to assess the effectiveness of the 
security measures at foreign airports served by an air carrier from 
which a foreign air carrier serves the United States or that poses a 
high risk of introducing danger to international air travel, as well as 
other airports the Secretary considers appropriate. 

• 49 U.S.C. §§44913-44914, concerning the deployment andpurchase 
of explosives detection equipment and the development of airport 
construction guidelines. 

• 49 U.S.C. §§ 44916-44918, directing the Administrator of the FAA 
to require each air carrier and airport that provides for intrastate, 
interstate, or foreign air transport to conduct periodic vulnerability 
assessments of the security systems of that air carrier or airport, to 
perform periodic audits of such assessments, and to conduct periodic 
and unannounced inspections of security systems of airports and air 
carriers to determine the effectiveness and vulnerabilities of such 
systems; 68 authorizing the Under Secretary for Transportation 
Security to deploy and otherwise provide for the training, 
supervision, equipping, and air carrier accommodation of federal air 
marshals; and authorizing the development of detailed guidance for 
a scheduled passenger air carrier flight and cabin crew training 
program to prepare crew members for potential threat conditions. 69 

• 49 U.S.C. §§ 44935-44936, directing the Administrator of the FAA 
to prescribe standards for the employment and continued 
employment of, and contracting for, air carrier personnel and airport 
security personnel, as well as requiring by regulation employment 
investigations, including criminal history record checks, for 
individuals employed in, or applying for, positions in airport 
operations and security. 

• 49 U.S.C. § 44942, authorizing the Under Secretary for 
Transportation Security to establish performance goals and 
objectives for aviation security. 

• 49 U.S.C. § 46105, concerning the effectiveness of prescribed 
regulations and orders of the Secretary of Transportation, Under 
Secretary for Transportation Security, and Administrator of the FAA 
regarding security duties and powers, as well as the amendment, 
modification, suspension, or superseding of such issuances. 

This represents a slight increase in statutory authority cited in support of Part 
1520 as it appears in the 2004 Code of Federal Regulations when compared with the 
version appearing in the 2002 edition. 



68 Added by 1 10 Stat. 3253. 

69 Added by 1 15 Stat. 606 and 610. 
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Management Regime Comparison 

Presidentially prescribed arrangements for the management of classified national 
security information have been operative for over half a century. The initial directive 
in this regard, as noted earlier, was issued in March 1940, and, thereafter, successor 
orders largely narrowed the bases and discretion for assigning official secrecy, and 
increasingly detailed the management regime for security classified materials. In 
Table 1 below, various aspects of the current management regime for classified 
information, as prescribed by E.0. 12958, as amended, are set out in comparison with 
the SSI management arrangements prescribed by USDA and TSA/DOT. 



Table 1. Management of Security Classified Information 

and SSI Compared 



Management 

Consideration 


E.O. 12958, 
as amended 


USDA SSI 
(Reg. 3440- 
002) 


TSA/DOT SSI 
(49 CFR 15) (49 
CFR 1520) 


Principal terms defined 


Yes 


Yes 


Yes 


Original users of marking 
authority specified 


Yes 


Yes 


No - generic 
covered 
persons 


Delegation of marking 
authority in writing 


Yes 


Not clear 


No 


Exclusive categories of 
protectable information 
specified 


Yes 


Yes 


Yes 


Duration of marking or 
protection specified 


Yes 


Yes 


No 


Date or event for 
termination of 

marking/protection specified 


Yes 


No 


No 


Identity of original marker 
specified 


Yes 


No 


No 


Prohibitions and limitations 
for markings specified 


Yes 


Yes 


No 


Authorized challenges on 
propriety of marking 


Yes 


No 


No 


Mandatory reviews to 
determine continued need 
for protection 


Yes 


No 


No 


Appellate review of 
unsuccessful challenges or 
mandatory review outcomes 


Yes 


No 


No 


System oversight vested in 
specified entity or official 


Yes 


Yes 


No 
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In general, the management regime for SSI prescribed by USDA does not appear 
to be as detailed as the regime prescribed by E.O. 12958, as amended, for classified 
national security information. However, the USDA regime for SSI does appear to 
be more detailed than the one prescribed by TSA for SSI, particularly regarding 
specification of users of the marking authority, limiting the duration of marking or 
protection, specifying prohibitions and limitations on the use of marking, and vesting 
system oversight in Departmental Administration (DA). This comparison is based 
upon the content of relevant regulations, but does not take into consideration actual 
implementation or administrative practice regarding those regulations. 

In June 2005, the Government Accountability Office (GAO) completed an 
assessment of TSA management of SSI. Among the results of that assessment are 
the following comments: 

• TSA does not have written policies and procedures, beyond its SSI 
regulations, providing criteria for determining what constitutes 
SSI. 70 

• In addition to lacking written guidance concerning SSI designation, 

TSA has no policies and procedures specifying clear 
responsibilities for officials who can designate SSI. 71 

• TSA lacks adequate internal controls to provide reasonable 
assurance that its SSI designation process is being consistently 
applied across TSA and for monitoring compliance with the 
regulations governing the SSI designation process, including 
ongoing monitoring of the process. 72 

• TSA has not developed policies and procedures for providing 
specialized training for all of its employees making SSI 
designations on how information is to be identified and evaluated 
for protected status. 73 

With a view to bringing “clarity, structure, and accountability to TSA’s SSI 
designation process,” GAO recommended “that the Secretary of the Department of 
Homeland Security direct the Administrator of the Transportation Security 
Administration to take the following four actions”: 

• establish clear guidance and procedures for using the TSA 
regulations to determine what constitutes SSI; 

• establish clear responsibility for the identification and designation 
of information that warrants SSI protection; 



70 U.S. Government Accountability Office, Transportation Security Administration: Clear 
Policies and Oversight Needed for Designation of Sensitive Security Information , GAO 
Report GAO-05-677 (Washington: June 2005), p. 3. 



71 Ibid., p. 4. 

72 Ibid., p. 5. 

73 Ibid., p. 6. 
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• establish internal controls that clearly define responsibility for 
monitoring compliance with regulations, policies, and procedures 
governing the SSI designation process and communicate that 
responsibility throughout TSA; and 

• establish policies and procedures within TSA for providing 
specialized training to those making SSI designations on how 
information is to be identified and evaluated for protected status. 74 



Implications for Information Sharing 

The importance of information sharing for combating terrorism and realizing 
homeland security was emphasized by the National Commission on Terrorist Attacks 
Upon the United States. 75 When fashioning the Homeland Security Act of 2002, 
Congress recognized that the variously identified and marked forms of sensitive but 
unclassified (SBU) information could be problematic with regard to information 
sharing. Section 892 of that statute specifically directed the President to prescribe 
and implement procedures for the sharing of information by relevant federal 
agencies, including the accommodation of “homeland security information that is 
sensitive but unclassified.” 76 

On July 29, 2003, the President assigned this responsibility largely to the 
Secretary of Homeland Security. 77 Nothing resulted. 

The importance of information sharing was reinforced two years later in the 
report of the Commission on the Intelligence Capabilities of the United States 
Regarding Weapons of Mass Destruction. 78 Congress again responded by mandating 
the creation of an Information Sharing Environment (ISE) when legislating the 
Intelligence Reform and Terrorism Prevention Act of 2004. 79 Preparatory to 
implementing the ISE provisions, the President issued a December 16, 2005, 
memorandum recognizing the need for standardized procedures for SBU information 
and directing department and agency officials to take certain actions relative to that 
objective. 80 In May 2006, the newly appointed manager of the ISE agreed with a 



74 Ibid., p. 7. 

75 See U.S. National Commission on Terrorist Attacks Upon the United States, The 9/11 
Commission Report (Washington: GPO, 2004), pp. 416-419. 

76 116 Stat. 2135 at 2253. 

77 E.O. 13311 in 3 C.F.R., 2003 Comp., pp. 245-246. 

78 See U.S. Commission on the Intelligence Capabilities of the United States Regarding 
Weapons of Mass Destruction, Report to the President of the United States (Washington: 
GPO, 2005), pp. 429-450. 

79 118 Stat. 3638 at 3664. 

80 The White House Office, Memorandum for the Heads of Executive Departments and 
Agencies, “Guidelines and Requirements in Support of the Information Sharing 
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March GAO assessment 81 that, oftentimes, SBU information, designated as such with 
some marking, was not being shared due to concerns about the ability of recipients 
to protect it adequately. 82 In brief, it appears that pseudo-classification markings 
have, in some instances, had the effect of deterring information sharing for homeland 
security purposes. 



Improving Classified Information Life Cycle 

Management 

In the current environment, still affected by the long shadow of the terrorist 
attacks of September 11, 2001, some long-standing difficulties attending the life 
cycle management of security classified information have become particularly acute. 
In July 2005, the New York Times observed editorially that the “Bush Administration 
is classifying the documents to be kept secret from public scrutiny at the rate of 125 
a minute. The move toward greater secrecy,” it continued, “has nearly doubled the 
number of documents annually hidden from public view — to well more than 15 
million last year, nearly twice the number classified in 200 1.” 83 As the number of 
classification actions has been largely increasing, the editorial also noted, the volume 
of declassified material has been decreasing, as the data in Table 2 below indicate. 
The situation appears to have slightly improved in 2005. These activities have 
related costs. Security classification expenses — which include personnel security, 
physical security, education and training, and management and planning — far 
exceed expenditures for declassification. 

Some relief of the situation may result from the automatic action — 
declassification, exemption for continued protection, or referral to other agencies — 
on classified records 25 or more years old mandated by the Clinton executive order 
and now scheduled to occur by December 31, 2006. Using agencies’ supplied 
information concerning their efforts to meet the deadline, ISOO, as of September 21, 
2005, estimated that 155 million pages of classified records were subject to automatic 
action, and “believes, for the most part, that the Executive branch is progressing 
toward fulfilling its responsibilities for these records by the deadline.” Of 46 
agencies affected, “ISOO was confident that 22 of those agencies will be prepared 
to implement the Automatic Declassification program by the deadline” and will 



80 (...continued) 

Environment,” Dec. 16, 2005, Washington, DC. 

81 U.S. Government Accountability Office, Information Sharing: The Federal Government 
Needs to Establish Policies and Processes for Sharing Terrorism- Related and Sensitive but 
Unclassified Information, p. 25. 

82 Prepared statement of Thomas E. McNamara, Program Manager for the Information 
Sharing Environment, Office of the Director of National Intelligence, before the House 
Committee on Homeland Security, Subcommittee on Intelligence, Information Sharing, and 
Terrorism Risk Assessment, May 10, 2006, Washington, D.C., pp. 8-9. 

Editorial, “The Dangerous Comfort of Secrecy,” New York Tunes, July 12, 2005, p. A22. 
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“work closely with the remaining 24 agencies to ensure that they allocate sufficient 
resources to meet the requirement.” 84 



Table 2. Information Moving In and Out of Classified Status 



Fiscal Year 


New Classifi- 
cation Actions 


Declassified 

Pages 


Classification 

Cost 


Declassifi- 
cation Cost 


2001 


8,650,735 


100,104,990 


$4.5 billion 


$232 million 


2002 


11,271,618 


44,365,711 


$5.5 billion 


$113 million 


2003 


14,228,020 


43,093,233 


$6.4 billion 


$54 million 


2004 


15,645,237 


28,413,690 


$7.1 billion 


$48 million 


2005 


14,206,773 


29,540,603 


$7.7 billion 


$57 million 


2006 


20,556,445 


37,647,993 


$8.2 billion 


$44 million 



Source: Data from U.S. National Archives and Records Administration, Information Security 
Oversight Office, Report to the President 2001 (Washington: Sept. 2002), pp. 7-8, 16; U.S. National 
Archives and Records Administration, Information Security Oversight Office, Report to the President 
2002 (Washington: June 2003), pp. 14-15, 26; U.S. National Archives and Records Administration, 
Information Security Oversight Office, Report to the President 2003 (Washington: Mar. 2004), pp. 
20, 25; U.S. National Archives and Records Administration, Information Security Oversight Office, 
Report to the President 2004 (Washington: Mar. 2005), pp. 15, 17; U.S. National Archives and 
Records Administration, Information Security Oversight Office, Report to the President 2005 
(Washington: May 2006), pp. 13, 15; U.S. National Archives and Records Administration, 
Information Security Oversight Office, Report to the President 2006 (Washington: May 2007), pp. 
6, 22, 29-30; U.S. National Archives and Records Administration, Information Security Oversight 
Office, 2003 Report on Cost Estimates for Security Classification Activities (Washington: July 2004), 
pp. 2-3; U.S. National Archives and Records Administration, Information Security Oversight Office, 
Report on Cost Estimates for Security Classification Activities for 2004 (Washington: May 2005), p. 
3; U.S . National Archives and Records Administration, Information Security Oversight Office, Report 
on Cost Estimates for Security Classification Activities for 2005 (Washington: 2006), pp. 2, 5. 



Whereas the automatic declassification effort is aimed at reducing the quantity 
of older records which no longer merit protected status or preservation, the 
Interagency Security Classification Appeals Panel (ISCAP), also created by the 
Clinton order, is available to address qualitative issues concerning classified 
information. ISCAP is composed of senior level representatives of the Secretary of 
State, Secretary of Defense, Attorney General, Director of Central Intelligence, 
Archivist of the United States, and Assistant to the President for National Security 
Affairs. The President selects the panel’s chair from among its members. The 
director of the Information Security Oversight Office (ISOO), which is the 
government-wide overseer of the security classification program, serves as the 
ISCAP executive secretary. The panel makes final determinations on classification 
challenges appealed to it by government employees or the public; approves, denies, 
or amends exemptions from automatic declassification sought by agencies; makes 
final determinations on mandatory declassification review requests appealed to it; 



84 U.S. National Archives and Records Administration, Information Security Oversight 
Office, Report to the President 2005 (Washington: May 2006), p. 19. 
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and generally advises and assists the President in the discharge of his discretionary 
authority to protect the national security of the United States. The recent review 
activities of ISCAP are detailed in Table 3. 

Table 3. ISCAP Decisions 



Year 


Documents 

Reviewed 


Declassified 
in Full 


Declassified 
in Part 


Affirmed 

Classification 


2001 


34 


8 (23%) 


21 (62%) 


5 (15%) 


2002 


49 


9 (18%) 


17 (35%) 


23 (47%) 


2003 


106 


3 (3%) 


80 (75%) 


23 (22%) 


2004 


159 


1 1 (7%) 


30(19%) 


118 (74%) 


2005 


81 


21 (26%) 


44 (54%) 


16 (20%) 


2006 


675 


139 (21%) 


294 (43%) 


242 (36%) 



Source: Data from U.S. National Archives and Records Administration, Information Security 
Oversight Office, Report to the President 2001 , p. 5; U.S. National Archives and Records 
Administration, Information Security Oversight Office, Report to the President 2002, p. 9; U.S. 
National Archives and Records Administration, Information Security Oversight Office, Report to the 
President 2003, p. 9; U.S. National Archives and Records Administration, Information Security 
Oversight Office, Report to the President 2004, p. 7; U.S. National Archives and Records 
Administration, Information Security Oversight Office, Report to the President 2005 (Washington: 
May 2006), p. 5; U.S. National Archives and Records Administration, Information Security Oversight 
Office, Report to the President 2006 (Washington: May 2007), p. 6. 



Finally, an issue recently arose concerning the selective withdrawal of 
declassified records from public access at the National Archives and Records 
Administration (NARA) for reclassification. This activity came to public attention 
on February 21, 2006, when the National Security Archive, a private sector research 
and resource center located at The George W ashington University, published a report 
about the discovery on its website. 85 A news account was also simultaneously 
published in the New York Times , 86 Initial reported indications were that, beginning 
in 1999, intelligence agencies, pursuant to a secret agreement with the National 
Archives and Records Administration (NARA), began secretly removing declassified 
records from public access and had reclassified more than 55,000 of them. The effort 
was apparently an attempt to reverse what some regarded as a hasty compliance with 
the Automatic Declassification program prescribed in the Clinton order and directed 
at classified records more than 20 years old. It was discovered, however, that several 



85 Matthew M. Aid, Declassification in Reverse: The U.S. Intelligence Community’ s Secret 
Historical Document Reclassification Program, National Security Archive Report 
(Washington: Feb. 21, 2006), available at [http://www.gwu.edu/~nsarchiv/NSAEBB/ 
NSAEBB179/]. 

86 Scott Shane, “U.S. Reclassifies Many Documents in Secret Review,” New York Times, 
Feb. 21, 2006, pp. Al, A16. 
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of the reclassified documents had been previously published in the Department of 
State’s history series, Foreign Relations of the United States. Other reclassified 
records were regarded to be rather innocuous, such as a 1948 memorandum on a 
Central Intelligence Agency (CIA) plan to float balloons over communist countries 
in Eastern Europe and drop propaganda leaflets; a premature CIA assessment in 
October 1950 that Chinese intervention in the Korean War was “not probable in 
1950,” but actually occurred late in that month; and a 1962 telegram from 
Ambassador to Yugoslavia George F. Kennan containing an English translation of 
a Belgrade newspaper article on the Chinese nuclear weapons program. The Times 
story indicated that the director of ISOO, after reviewing 16 withdrawn records and 
concluding that none of them should have been reclassified, had ordered an audit of 
the reclassification effort. 

The results of the ISOO audit were released on April 26, 2006. Agencies 
conducting the re-reviews of withdrawn records since 1995 included the CIA, the 
Department of Energy, the Department of the Air Force (USAF), and the Federal 
Emergency Management Agency. Their efforts “resulted in the withdrawal of at least 
23,315 publicly available records; approximately 40 percent were withdrawn because 
the reviewing agency purported that its classified information had been designated 
unclassified without its permission and about 60 percent were identified by the 
reviewing agency for referral to another agency for declassification or other public 
disclosure review.” 87 In reviewing a sample of 1,353 of the withdrawn records, ISOO 
concluded that 64 percent of them “did, in fact, contain information that clearly met 
the standards for continued classification,” said the audit report. ISOO also found 
that 24% of the sampled records “were clearly inappropriate for continued 
classification,” and “an additional 12 percent were questionable.” Overall, said the 
audit report, “Depending upon the review effort, the sample of records withdrawn 
clearly met the standards for continued classification anywhere from 50 percent to 
98 percent of the time.” 88 

Why did this withdrawal and reclassification of records happen? ISOO offered 
the following explanation: 

There are a number of contributing factors to the issues identified by this audit. 
Sufficient quality control and oversight by both the agencies and ISOO has been 
lacking, as has proper documentation for declassification decisions. In addition, 
NARA has, at times, acquiesced too readily to the re -review efforts or 
withdrawal decisions of agencies. Additionally, NARA has not had the 
necessary resources available to keep pace with agencies’ re -review activity, let 
alone the overall declassification activity of the recent past which has resulted 



87 U.S. National Archives and Records Administration, Information Security Oversight 
Office, Audit Report: Withdrawal of Records from Public Access at the National Archives 
and Records Administration for Classification Purposes (Washington: Apr. 26, 2006), p. 
1 ; also see Christopher Lee, “Some Archives Files Wrongly Kept Secret,” Washington Post, 
Apr. 27, 2006, p. A25; Scott Shane, “National Archives Says Records Were Wrongly 
Classified,” New York Times, Apr. 27, 2006, p. A24. 

88 U.S. National Archives and Records Administration, Information Security Oversight 
Office, Audit Report: Withdrawal of Records from Public Access at the National Archives 
and Records Administration for Classification Purposes, p. 1 . 
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in the accumulation of hundreds of millions of previously classified pages which 
require processing by NARA. The most significant deficiency identified by this 
audit, however, was the absence of standards, including requisite levels of 
transparency, governing agency re -review activity at NARA. Absent these, 
NARA along with CIA and USAF resorted to ad hoc agreements that, in 
retrospect, all recognize should never have been classified in the first place. 89 

Regarding remedial actions, the audit report offered the following: 

As a result of this audit, the affected agencies have agreed to abide by interim 
guidance that includes provisions that require the public to be informed that 
records have been formally withdrawn from public access at NARA due to 
classification action as well as how many records are affected. Prior to official 
promulgation in regulation, this interim guidance will be fully coordinated, to 
include an opportunity for public comment. In addition, in response to many of 
the challenges highlighted by this audit, the principal agencies involved in 
conducting classification reviews of records accessioned into NARA have 
agreed, in principle, to create a pilot National Declassification Initiative, in order 
to more effectively integrate the work they are doing in this area. This initiative 
will address the policies, procedures, structure, and resources needed to create 
a more reliable Executive branch-wide declassification program. 

In response to the findings of this audit, the Director [of ISOO] is writing to all 
agency heads asking for their personal attention in a number of critical areas, to 
include facilitating classification challenges and routinely sampling current 
classified information in order to determine the validity of classification actions. 
In addition, ISOO will be initiating a number of training efforts in support of 
these objectives. Finally, agency heads will be requested to provide a status 
report within 120 days on the action taken with respect to these initiatives as well 
as with regard to the recommendations contained within this audit report. ISOO 
will report publicly on these actions. 90 



Remedial Legislation 



H.R. 984 (Waxman) 

Executive Branch Reform Act of 2007. Among other provisions, Section 7 
would require each federal agency, not later than six months after the date of the 
enactment of the legislation, to submit to the Archivist of the United States and 
specified congressional committees a report, with certain details, describing their use 
of “pseudo” classification designations; would require the Archivist, not later than 
nine months after the date of the enactment of the legislation, to issue to specified 
congressional committees a report based on the agency submissions, as well as input 
from the Director of National Intelligence, federal offices, and contractors, with an 
opportunity for public comment on this report; would require the Archivist, not later 



89 Ibid., p. 2. 

90 Ibid. 
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than 15 months after date of the enactment of the legislation, to promulgate 
regulations banning the use of “pseudo” classification designations, with standards 
for exceptions for control markings other than those used for classifying national 
security information; and would require the Archivist to review existing statutes that 
allow agencies, offices, and contractors to control, protect, or otherwise withhold 
information based on security concerns, and make recommendations on potential 
changes to the statutes so reviewed with a view to improving public access to 
information governed by them. Introduced February 12, 2007, and referred to the 
Committee on Oversight and Government Reform. 

H.R. 4806 (Harman) 

Reducing Over-Classification Act. Requires the Secretary of Homeland 
Security to develop a strategy that will (1) allow the security classification of records 
only after unclassified, shareable versions of intelligence have been produced; (2) 
develop a new “sensitive and shared” information program that will provide 
protections for certain sensitive and unclassified information for limited periods of 
time under narrowly tailored circumstances; (3) propose new incentives and 
disincentives to encourage Department of Homeland Security personnel to classify 
records properly and to use “sensitive and shared” markings sparingly; (4) create 
training programs and auditing mechanisms for all department employees in order 
to ensure that the mandated strategy is being implemented properly; (5) establish an 
independent department declassification review board to expedite the declassification 
of records when the need for public access outweighs the need to classify; and (6) 
propose legislative solutions to ensure that the strategy is implemented in a way that 
not only promotes security, but also fosters both information sharing and the 
protection of privacy and other civil rights. 91 Introduced December 18, 2007, and 
referred to the Committee on Homeland Security. 
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